Malicious PDF / .SWA — malware analysis report

Static analysis result for SHA-256 9138585dea278d62…

MALICIOUS

PDF / .SWA

Size: 6.7 KB
Created: 2010-09-03 08:30:37
Authoring application: Xijokanilohova (via b87e0Kmgxaloxaxgi)
MD5: 6be33fc51e892ed0fe2d87496b9ad0ac
SHA-1: 0d8bd740f5a86d68929d734a9c975c81a59fa0ee
SHA-256: 9138585dea278d62c314afa76f7d73aaacaac078655dd4abafd9956029fa872b
Risk Score: 76

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell
T1566.002 Spearphishing Attachment

The PDF contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The ClamAV detection 'Heuristics.PDF.ObfuscatedNameObject' further suggests malicious intent. The embedded JavaScript is likely responsible for executing the malicious payload, though its exact function is obscured by obfuscation. The file's metadata indicates it was authored by 'Xijokanilohova (via b87e0Kmgxaloxaxgi)', which may be a clue to the actor.

Heuristics (3)

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0011_000.js
SHA-256: d75aba2bc241d027161697fa7aada0bf45c7afe5b58fce1bb0bf66350349f123
Kind: pdf-javascript-stream
Source: PDF /JS object 11 at offset 0x1208
Size: 1983 bytes